11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
This requirement focuses on conducting regular penetration testing to identify and address security weaknesses in the organization's systems and network. It ensures that organizations simulate real-world attacks to find vulnerabilities that attackers could exploit to gain access to cardholder data, so that the organization can take appropriate action to protect its network and system components before those weaknesses are exploited.
Sub-requirements:
- 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity, and includes:
- 11.4.2 Internal penetration testing is performed:
- 11.4.3 External penetration testing is performed:
- 11.4.4 Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:
- 11.4.5 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:
- 11.4.6 Additional requirement for service providers
- 11.4.7 Additional requirement for multi-tenant service providers only
11.4. Intrusion-detection and/or intrusion-prevention techniques are used to monitor all traffic at the perimeter and at critical points.
Ensure that IDS/IPS solutions are deployed, maintained, and monitored to detect and respond to potential intrusions.
Key Risks
Frequently Asked Questions
What is the difference between IDS and IPS?
IDS detects and alerts on suspicious activity, while IPS can also block or prevent malicious traffic.
Where should IDS/IPS be deployed?
At the network perimeter and at critical points within the cardholder data environment.
How are IDS/IPS signatures maintained?
Through regular updates and tuning to ensure detection of the latest threats.
How are IDS/IPS alerts handled?
They are monitored and escalated to security personnel for investigation and response.
How often should IDS/IPS be tested?
At least annually, and after significant changes to the environment.
Common QSA Questions
Can you show evidence of IDS/IPS deployment and monitoring?
Yes, we have deployment diagrams, alert logs, and incident response records.
How are IDS/IPS signatures updated?
We use automated updates and manual reviews to ensure signatures are current.
How are IDS/IPS failures detected and responded to?
We monitor IDS/IPS health and have procedures for prompt response to failures.